On Wed, September 17, 2014 1:53 pm, James Meason wrote:
> Uploaded! (Zip.Suspect.MiscDoubleExtension-zippwd-4 FOUND)

Hi James,

ClamAV team have created a signature which helps block double attachments, in much the same way that the Sanesecurity foxhole sigs have been doing for a while now. However, I think they'd gone slightly overboard... here's the sig...

daily.zmd:Zip.Suspect.MiscDoubleExtension-zippwd-4:*:(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*:*:*

foxhole_filename.cdb will do a similar job, but has been made as flexible as possible for the end user to whitelist for extension type and only contains double extensions that have been actually seen carrying malware.

To whitelist...

printf Zip.Suspect.MiscDoubleExtension-zippwd-4 > localign.ign2
restart clamd

Cheers,

Steve
Sanesecurity.com

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
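To see what the .zmd signature quoted above actually matches, and what the .ign2 whitelist step does, here is an added example that replays the signature's filename regex over the member names of a small constructed zip archive. This is not ClamAV's own code and not part of the thread: it assumes the .zmd field order documented for ClamAV (virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth), treats the leading "daily.zmd:" as the database file name printed by a listing rather than part of the record, and assumes the filename field is an unanchored regex. The sample member names are constructed for illustration.

```python
"""Replay a ClamAV .zmd (zip metadata) filename signature over zip member
names, with an .ign2 whitelist applied, to see what the signature catches.
Example code, not ClamAV's own matcher."""
import io
import re
import zipfile

# The signature as quoted in the message. The leading "daily.zmd:" is the
# database file name from a listing, not a field of the record.
ZMD_LINE = (
    "daily.zmd:Zip.Suspect.MiscDoubleExtension-zippwd-4:*:"
    r"(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*"
    r"\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf)"
    ":*:*:*:*:*:*"
)

# Assumed field order of a .zmd record (per the ClamAV signature format docs):
# virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth
ZMD_FIELDS = ("virname", "encrypted", "filename", "normal_size", "csize",
              "crc32", "cmethod", "fileno", "max_depth")


def parse_zmd(line):
    """Split one .zmd record into its fields and compile the filename regex."""
    fields = line.strip().split(":")
    if len(fields) == len(ZMD_FIELDS) + 1:   # "dbfile.zmd:" prefix from a listing
        fields = fields[1:]
    if len(fields) != len(ZMD_FIELDS):
        raise ValueError("not a .zmd record: %r" % line)
    sig = dict(zip(ZMD_FIELDS, fields))
    # Assumption: the filename field is an unanchored regex, i.e. it may
    # match anywhere inside the member name.
    sig["regex"] = re.compile(sig["filename"])
    return sig


def load_ign2(text):
    """Parse .ign2 contents: one signature name per line, '#' lines ignored."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line)
    return names


def scan_zip(zip_bytes, sigs, ignored=frozenset()):
    """Return [(member_name, virname)] for each member matching a non-ignored sig."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            for sig in sigs:
                if sig["virname"] in ignored:      # whitelisted via .ign2
                    continue
                if sig["regex"].search(member):
                    hits.append((member, sig["virname"]))
    return hits


def build_sample_zip(names):
    """Constructed test archive: each member holds a one-line placeholder body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "placeholder\n")
    return buf.getvalue()


# Constructed member names; comments state what the regex does with each.
SAMPLE_MEMBERS = [
    "invoice.doc.js",      # ".doc" followed by ".js": flagged
    "holiday.mp4.app",     # ".mp4" followed by ".app": flagged
    "Photo-JPG.Apk",       # (?i) is case-insensitive and '-' is a separator: flagged
    "report.pdf",          # single extension: not flagged
    "archive.tar.gz",      # "gz" is not in the executable list: not flagged
    "notes.txt",           # not flagged
]


def demo():
    """Scan the sample archive before and after whitelisting the signature."""
    sigs = [parse_zmd(ZMD_LINE)]
    archive = build_sample_zip(SAMPLE_MEMBERS)
    before = scan_zip(archive, sigs)
    after = scan_zip(archive, sigs, load_ign2("Zip.Suspect.MiscDoubleExtension-zippwd-4\n"))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for member, virname in before:
        print("FOUND", member, virname)
    print("after whitelisting:", len(after), "hits")
```

Running it shows three of the six constructed names flagged, and none once the signature name is listed in the .ign2 set, which is the effect of the printf/restart step in the message (ClamAV reads .ign2 files from its database directory; the example only models the name lookup, not the file loading).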